This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive
Domain Name System (DNS) name servers using spoofed UDP packets.
Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We
study this data in order to further understand the basics of the reported recursive name server
amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the
networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as
many as 140,000 exploited name servers. In addition to the increase in the response packet size, the
large UDP packets create IP protocol fragments. Several other responses also contribute to the overall
effectiveness of these attacks.

The risks involved with the recursive name server feature, as well as those of packet spoofing are well
known, yet have been treated more as a theoretical issue. The attack under study was anticipated as
early as 2002 (gnupg 2002). Earlier attacks using queries to non-authoritative servers were for a
reflection attack usingMX records (Mirkovic, Dietrich, Dittrich. and Reiher). To our knowledge, this
is the first documentation of a new form of a recursive name server reflection attack designed to use
the significantly larger data amplification available from the extended capabilities of extended DNS
standards . In addition to this attack technique, recursion can be leveraged for other uses such as theft
of DNS resources (CERT UNI-Stuttgart 2003).